A quick response code-based authentication method (QRAM) is proposed. QRAM is applicable to many
internet of things (IoT) applications. QRAM aims to verify requests for access to IoT applications.
Requests are made using a quick response code (QRC). Users scan the QRC to access IoT applications,
and three procedures are applied to authenticate the contents of the QRC. QRAM contributes to IoT
automatic access systems or smart applications in terms of authentication and safety of access.
QRAM is evaluated in terms of security factors (e.g., authentication). Computation time of
authentication procedures for several IoT applications has become a considerable issue. QRAM aims
to reduce the computation time consumed to authenticate each QRC. Some authentication techniques
still face difficulties when an IoT application requires a fast response to users; therefore, QRAM
aims to improve on this in order to meet real-time applications. Thus, QRAM is compared to several
competitive methods used to verify QRC in terms of computation time. Results confirmed that QRAM is
faster than other competitive techniques. Besides, results have shown a high level of complexity in
terms of the decryption time needed to deduce private contents of QRC. QRAM also is robust against
unauthorized requests of access.

Keywords: Data security, Internet of Things, QR code

1. INTRODUCTION 

Many studies that deal with the use of quick response (QR) codes in security-related
services [1] have been reviewed. Some examples are included in [2-7]. The technology of quick
response code (QRC) has been utilized by many applications [8-13]. The QRC is suitable for data privacy
and can be a good tool to protect data [14] using encryption schemes. Many applications focus
on data authentication in order to verify that data are originally issued and that contents have not been
changed in an unauthorized manner.

Authentication is a very important consideration for several applications because it affects
the performance of the system in terms of security and confidentiality. Many other related security issues
could also be affected if authentication has not been securely and efficiently considered. Therefore,
the proposed method in this paper aims to verify whether an unauthorized modification has occurred or not.
It considers a number of verification procedures because the information encrypted inside the QRC has to
be always private and confidential. Another reason that a secure authentication method is important
for internet-of-things (IoT) applications is that the information included in the QRC is used to access
a data-sensitive IoT application. The proposed QR-based authentication method (QRAM) in this paper is
applied on QRC to verify security objectives.

In the literature, many IoT applications have been proposed, some of which have suggested
and designed authentication systems and some others have performed evaluation procedures. Of these,
a number of QRC-based methods perform smart services utilizing the QRC itself.
But the very important question to consider is whether these QRC-based IoT applications are authenticated.
For example, there exist many systems concerned with authentication, data privacy, and security such as
internet of things (IoT) [15], smart applications [16], cryptography and data encryption [17, 18],
data transfer [19], public key encryption scheme [20], and cloud computing resources’ authentication [21].
This has contributed to a smart life environment [22] in terms of data privacy, security, and computation time.

In general, these proposed systems may fail to achieve a high level of security. One of the biggest
issues is when the application becomes susceptible to unusual actions. However, there exist several attempts
to propose secure applications, e.g., [23, 24], whose aims are to protect data and attain authentication.
These examples have designed a QRC-based authentication mechanism for users in order to prevent threats
and to increase the security of users’ private contents.

The QRC is a very effective technology for many IoT applications in terms of safety and authenticity,
e.g., those reviewed in [25-28]. Thus, in [21] a QRC technology has been used in order to perform
an authentication procedure for users engaged with a cloud computing environment. A good feature of QRC
is that it can store a huge portion of information in a very small area. A lot of IoT applications can exploit
such a feature and re-use it based on needs [29]. Many examples are reviewed in detail in [7, 19, 30-40].
Therefore, these contents of QRC can be verified in terms of authentication and privacy. Usually, the
verification process concerns the contents of QRC. If the contents of QRC have not been changed in an
unauthorized manner, the privacy of QRC can be considered as attained and QRC is private.

Therefore, related data needs to be private and secure. Additionally, the related applications should 
be confidential with the help of QRC technique. In order to do so, a strong security scheme needs to be 
and the verification process of QRC contents has to be precise. Hence, in this paper, a verification procedure
with several security layers is considered. The verification procedure consists of a number of steps in order
to increase the security of the contents of QRC. The proposed QRAM is applied on QRC to verify security
objectives. In addition, it verifies the authenticity of QRC.

Simply, the QRAM performs three authentication procedures, each of which is applied to a single
part of the QRC content to produce its distinct output. Once this procedure has been applied, the computation
time is expected to be reduced. For security purposes, if one layer produces a failed comparison,
the verification stops immediately and does not proceed to the next layer’s verification.
Thus, QRAM instantly halts the verification procedure.

However, many difficulties and challenges remain, and research studies have attempted
to overcome them. An example of those challenges is making a technique both fast-responsive
for real-time IoT applications and robust enough against threats. Thus, in order
to meet real-time applications, further enhancement is needed. Therefore, QRAM aims to enhance
authentication procedures applied to IoT applications that depend on QRC in terms of computation time.

The organization of this paper is as follows: in section 2, the proposed methodology
of QRAM is explained in detail. Results and discussion are presented in section 3. The conclusion is drawn
in section 4.


2. THE PROPOSED QRAM 

Simply, the proposed methodology of QRAM contains three types of authentication verification
procedure. The first one is a user frequently-updated image (UI) authentication, the second one is a user
activity-derived number (UAN) authentication, and the third is user_ID (UID) authentication. They are
presented graphically in Figure 1. The flowchart of QRAM is illustrated in Figure 2.


2.1. UI authentication 

Each user will be assigned a distinctive QRC in order to be authenticated. In this procedure,
the UI will be captured. The QRAM will process it and extract certain information and distinctive values.
These values and information will be sent to the QRAM’s database in order to perform a real-time comparison.
If the UI is identical to its corresponding values which are stored in the database, the system will consider
that the UI is authenticated and valid. Hence, the QRAM accepts the QRC and moves forward to check other
security factors with UAN and UID. Otherwise, the QRAM rejects the currently processed QRC and stops
the whole procedure from being accessed by unauthorized parties.

Figure 1. A Graphical Overview of the Proposed QRAM

Figure 2. The Proposed QRAM Flowchart


2.2. UAN authentication 

UAN contains two steps, which are encryption and verification, as shown in Figure 3. The proposed
QRAM determines certain values to be encrypted first. Usually, the values determined for the encryption
process are selected based on the latest activities done by the user. Then, these values are mathematically
re-produced using a pseudorandom number generator (PRNG). Then, they are formalized as mathematically
ordered numbers queued in an array. This array is encrypted to produce an unknown number called the user
activity-derived number (UAN). The whole above-mentioned process, including the encryption scheme, is
performed periodically. Every time the QRC is generated, the new UAN is included in order to make sure that
the QRC is always updated and contains new input values, e.g., UAN.

UAN is verified by the QRAM to make sure that UAN is created using recently active values. 
If the UAN has been encrypted using recent values, that means the QRC is new and surely is different from 
the currently used one. That is because the UAN is one of the QRC’s inputs. Thus, the database is updated and 
the authentication process compares its new values to QRC values once the user is required by the system to 
send requests. 

Figure 3. The UAN Flowchart (encryption left-hand side and verification right-hand side) 


2.3. UID authentication 

In this procedure, there will be a lookup table designed to store all encrypted information such
as UAN, $E(key, Ar)$, $T_a$, and $T_{QRC}$. These values are recalled once an access has been made by the
user and when the QRC is scanned. The UID verification will be carried out using this table. Selected values
will be chosen to perform a comparison between the UID stored in this table and the UID encrypted inside
the QRC. This is discussed as follows:

Each user is assigned a distinctive UID that was previously produced. This UID is stored in the offline
database. To make sure whether the user has entered the correct UID or not, a mathematical procedure is
applied. The steps are as follows:

- Two neighboring users' UIDs, located as a predecessor and successor with index-values user_id(i - 1)
and user_id(i + 1), respectively, are selected; marked in Figure 4.

- Extract binary values ($UID_{b-1}$ and $UID_{b+1}$) for UID(i - 1) and UID(i + 1), respectively, by
applying (1) and (2):

$$UID_{b-1} = \mathrm{binary}(UID(i-1)) \quad (1)$$

$$UID_{b+1} = \mathrm{binary}(UID(i+1)) \quad (2)$$

- Apply (3) and (4) to normalize binary values to a certain length of digits:

$$id\_1_{normalized} = \mathrm{Norm}(UID_{b-1}) \quad (3)$$

$$id\_2_{normalized} = \mathrm{Norm}(UID_{b+1}) \quad (4)$$

When $UID_{b-1}$ is normalized, the value is compared to all values stored in the lookup table in order to
guarantee that there is no similarity between any two digital numbers. This means each id_i will be distinctive
from all ith values for any UID_ith value; thus: $\forall i \in \{id\_i \mid 0 < i < users_{max}\}$

where,

- id_i represents the UID number for the user (i),

- $users_{max}$ is the number of users registered in the database.

The following inequation becomes true to store related values in the lookup table for authentication purposes.

$$id\_(i-2) \neq id\_(i-1) \neq id\_(i) \neq id\_(i+1) \neq id\_(i+2) \neq \cdots \neq id\_(i^{th})$$

This is to produce a distinctive hash value in the next step.

- Apply (5) on these two index-values to obtain hash values:

Figure 4. UID(i) and its Neighboring UIDs’ table


3. RESULTS AND DISCUSSION 

In this section, the performance of the proposed QRAM is analysed. The results obtained after
the QRAM has been applied are discussed and evaluated. The QRAM is evaluated in terms of
authentication and computation time.


3.1. Authentication

The QRC contents are verified and authenticated. Usually, the contents of the QRC stored in the database are
compared to the QRC owned by the user. The content of the UAN-based verification is considered here. This
procedure takes into account the following considerations while the QRC is authenticated:
- Time of issue of QRC; $T_{QRC}$
- Time of user activities recordings; $T_a$
- $UAN_{database}$ is compared to the UAN stored inside the user’s QRC, $UAN_{user}$;
- Encrypted values will be decrypted;
The pseudo-code of the UAN-based authentication is shown in Algorithm 2 to add more explanation of security
factor analysis; i.e., authentication.

Algorithm 1: UAN authentication pseudo-code as a verification tool

    set variables as T=0, QRC=False;
    call following functions: f(T_QRC), f(T_a), f(E(key, Ar));
    decrypt QRC owned by the user; //QRC_user
    decrypt QRC stored inside database; //QRC_database
    extract UAN_user
    extract UAN_database
    If (UAN_user==UAN_database) { // to ensure if QRC is old
        If (T_QRC<T_a)
            If (Timer==True) {
                T=1;
                QRC=True; }
            Else
                T=0;
        Else
            QRC is true but QRC is old and no more is used; }
    Else
        QRC is expired;
    End If
    If (T==1)
        message="Request is Accepted";
    Else
        message="Request is Rejected";
    End Else


Algorithm 1 ensures that there is no modification on contents of QRC in terms of its date of issue. 
Therefore, it adds an if-statement based condition: if (Timer==True). If this condition is true, then T=1 
and authentication is accepted in terms of validity and expiry date. That surely means the QRC is 
successfully updated. 
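
The branches of Algorithm 1, together with the UAN derivation of section 2.2, in runnable form; this is an added example, not code from the paper. It assumes HMAC-SHA256 in place of the paper's unnamed encryption E(key, Ar), SHAKE-256 as the pseudorandom generator, and a validity window standing in for the Timer flag; the names derive_uan, verify_uan, Record and VALIDITY_SECONDS and all sample values are hypothetical.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

VALIDITY_SECONDS = 300  # assumed meaning of Algorithm 1's "Timer" flag

def derive_uan(key: bytes, activities: list[int]) -> str:
    """Latest activity values -> pseudorandom ordered array Ar -> keyed UAN."""
    n = len(activities)
    seed = struct.pack(f">{n}Q", *activities)
    # SHAKE-256 as a deterministic generator (assumed; the paper names no PRNG).
    stream = hashlib.shake_256(seed).digest(4 * n)
    ar = sorted(struct.unpack(f">{n}I", stream))
    # HMAC-SHA256 stands in for the paper's unspecified E(key, Ar).
    return hmac.new(key, struct.pack(f">{n}I", *ar), hashlib.sha256).hexdigest()

@dataclass
class Record:
    """Lookup-table row (section 2.3): UAN, T_QRC and T_a."""
    uan: str
    t_qrc: int  # time of issue of the QRC, epoch seconds
    t_a: int    # time the user activities were recorded, epoch seconds

def verify_uan(uan_user: str, db: Record) -> tuple[bool, str]:
    """Follow Algorithm 1's branches; returns (accepted, reason)."""
    # Constant-time comparison, so timing does not reveal a partial match.
    if not hmac.compare_digest(uan_user, db.uan):
        return False, "QRC is expired"
    if not db.t_qrc < db.t_a:  # ordering test as printed in Algorithm 1
        return False, "QRC is old and no longer used"
    timer = db.t_a - db.t_qrc <= VALIDITY_SECONDS  # assumed Timer check
    if not timer:
        return False, "Request is Rejected"
    return True, "Request is Accepted"

# Constructed sample data, not taken from the paper.
KEY = bytes(range(40))  # 320-bit key, one of the lengths in section 3.3
OLD_UAN = derive_uan(KEY, [17, 4, 230])  # UAN inside a previously issued QRC
NEW_UAN = derive_uan(KEY, [18, 9, 245])  # UAN after newer user activity

def demo() -> list[tuple[bool, str]]:
    row = Record(uan=NEW_UAN, t_qrc=1_700_000_000, t_a=1_700_000_060)
    late = Record(uan=NEW_UAN, t_qrc=1_700_000_000, t_a=1_700_000_900)
    return [
        verify_uan(NEW_UAN, row),   # current QRC inside the window
        verify_uan(OLD_UAN, row),   # replay of the earlier QRC
        verify_uan(NEW_UAN, late),  # current QRC, window elapsed
    ]

if __name__ == "__main__":
    for accepted, reason in demo():
        print(accepted, reason)
```

Because the UAN changes whenever the activity values change, a QRC issued before the latest database update fails the first comparison and never reaches the time checks.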


3.2. Computation time 

QRAM is evaluated in terms of computation time. The computation time needed to perform one
operation (i.e., including UI, UAN, and UID authentication) on a single QRC is considered. The related
computation times are calculated using C++ time functions. The obtained computation time is compared to
several competitive techniques as shown in Table 1.

As noticeable in Table 1, the computation time of QRAM is less than certificate and [23]’s methods.
The blue color fields show the techniques used in the comparison. The green color fields show how many
QR codes have been used in the experiment, i.e., the sample size. The yellow color fields show the computation
time consumed by each technique for every sample size. The red color fields show the averaged computation
time for all techniques. It is clear that the proposed QRAM comes in the 2nd rank amongst the other techniques
with an averaged computation time equal to 293.64 mS, 1.696 times faster than the certificate technique.
For more clarification, a performance evaluation of the proposed QRAM is provided in which it is compared
to other competitive techniques as shown in Figure 5. As shown in Figure 5, the proposed QRAM’s
computation time is located in the second rank.


Table 1. QRAM computation time compared to other techniques; time in millisecond (mS)
Technique: [23]; Certificate; Proposed QRAM

Figure 5. Performance evaluation in terms of computation time (plot title: Evaluation (Computation Time); axis: Computation Time (mS))


3.3. Robustness based on key length against brute force attack 

The length of the secret key is evaluated. The QRAM has adopted two different key lengths, with sizes of 320
and 384 bits. This evaluation supposes that when the QRAM uses a key of length equal to 320 and 384
bits, the decryption time of a brute force attack-based scheme is about 3.4x107 and 6.3x10% years,
respectively. Thus, QRAM is robust.


4. CONCLUSION 

This paper has proposed a simple verification method utilizing QRC to authenticate its contents.
The purpose of QRAM is to apply several steps on several layers to increase the security of the contents of
an IoT application. Three verification procedures are implemented to do so: UI, UAN, and UID.
The proposed mechanism also aims to reduce the computation time. QRAM then makes a decision either
to accept or reject a request for access to the related IoT application. A request for access is made
using a QRC and therefore the QRAM securely authenticates the contents of the QRC. Results confirmed that
the QRAM is faster than other competitive techniques. In addition, results have shown a high level of
complexity in terms of the decryption time needed to deduce the QRC’s secret key. The obtained results
confirmed that the QRAM is robust against unusual threats and potential actions. The QRAM is important for
applications which require online verification processes. Future work is dedicated to enhancing computation
time to work in a faster environment under complex scenarios, e.g., when there are more than two parties
requiring a response at the same time.